Reverting on a question of using multiple nics 7 years ago ;)

[lowlander]

Hi,

Segmenting networks is more and more important these days. We don't want our backup environment being exposed to get compromised. Since VMware came up with the NFC option for a VMkernel adapter that can be used for backup traffic, my view on multiple network adapters in Veeam servers changed slightly. My current view is to connect all Veeam servers that use are managed by VBR should be placed in a dedicated backup network using a single network adapter. As stated in the forums, using multiple network adapters is technically working but the underlying OS and routing infrastructure is responsible for the connection between components (network order, firewall configuration, static routes etc). To avoid fingerpointing in case of connectivity issues (apart from the addition of complexity), one NIC seems for me the way to go. Another big one is that for this configuration the network department can monitor and detect (IDS/IPS) all suspicious traffic that is leaving and entering the backup network. Adding some local hardening (e.g. OS firewall/AV) gives you additional protection.

What is your view on using multiple network adapters in general and per component:
- Veeam Backup and Replication Server;
- Veeam Proxy server;
- Veeam Repository server;
- Veeam Gateway server;
- VMware second VMkernel adapter based on NFC;

I changed my view slightly, but would like to understand the view of forum members and Veeam on this

[Andreas Neufert]

For the inter Veeam traffic, multiple network adapter are supported and if the components see each other through multiple network, you can specify the preferred networks: https://helpcenter.veeam.com/docs/backu ... ml?ver=110

For VMware NFC/NBD/Management connection you can always use additional VMkernel interfaces. As VMware will give us the full qualified domain name of the ESXi that we need to speak with, Veeam will go to DNS and get the specific IP address for it. This IP address is usually bound to the standard ESXi management interface. To change the processing to another VMkernel interface with IP Address 2 you need to follow this best practices: https://bp.veeam.com/vbr/3_Build_struct ... ution.html

[lowlander]

Thanks Andreas,

regarding the usage of multiple NICs:
- Primary network interface is routable (L3)
- secondary network is non routable (L2), thus isolated and only available for backup purposes.

How about the Veeam Gateway Server ( having two network adapters ) that is used for a SMB backup repository ?

The SMB backup repository ( share ) is accessible within the secondary network.

For the Backup and Replication server, proxy server, esxi host : if we use the secondary network, we add host entries in the corresponding hostfiles. How about the host file on the device that serves the SMB backup repository. Do we also need to add entries in the host file in order to force backup traffic using the secondary network ?

[Andreas Neufert]

You can add the SMB share to the SMB Gateway Server with a separate dedicated network.
If you add the SMB share by name, make sure that DNS of the Veeam Server and Gateway server find it. If you add by IP no change needed. https://helpcenter.veeam.com/docs/backu ... repository

For the ESXi host connection to the non default VMkernel, you need to set IP HOST FQDN entries in the hosts file of all proxies and the backup server. This is independent from the SMB configuration